Domain transition missing

Vadym Chepkov chepkov at yahoo.com
Sat Jul 4 12:48:26 UTC 2009


I have really gotten used to running my scripts unconfined; how can I accomplish it in this scenario?

Sincerely yours,
  Vadym Chepkov


--- On Sat, 7/4/09, Dominick Grift <domg472 at gmail.com> wrote:

> From: Dominick Grift <domg472 at gmail.com>
> Subject: Re: Domain transition missing
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: "Fedora SELinux" <fedora-selinux-list at redhat.com>
> Date: Saturday, July 4, 2009, 8:41 AM
> On Sat, 2009-07-04 at 14:38 +0200, Dominick Grift wrote:
> > On Sat, 2009-07-04 at 05:11 -0700, Vadym Chepkov wrote:
> > > Hi,
> > > 
> > > Last night I got a nasty surprise from selinux. I am using winbind for
> > > external authentication and since it has a history of failures I have a
> > > simple watchdog implemented to check the status and restart it if
> > > necessary. That is what happened last night and as a law-abiding
> > > selinux citizen I used 'service winbind restart', but it seems the
> > > proper domain transition is missing and winbind was started in the
> > > system_cronjob_t domain instead of winbind_t and none of the other
> > > domains could connect to it.
> > > 
> > > I think jobs running from cron should be granted the same transition
> > > rules as from unconfined_t.
> > > 
> > > I will file a bugzilla report about it, but could somebody help me with
> > > modifying my local policy until/if it gets implemented, please? Thank you.
> > > 
> > > Sincerely yours,
> > >   Vadym Chepkov
> > 
> > A domain transition would be:
> > 
> > policy_module(mywinbind, 0.0.1)
> > 
> > require { type system_cronjob_t, winbind_exec_t, winbind_t; }
> > domain_auto_trans(system_cronjob_t, winbind_exec_t, winbind_t)
> > 
> > Can you show us the full raw avc denial?
> 
> But personally I would deal with this in a different way. I would write
> policy for the script that restarts winbind and then I would create a
> domain transition for the domain in which the script runs to winbind_t.
> 
> Mainly because I wouldn't want to extend/modify system_cronjob_t.
> 
> So: system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t
> 
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
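The following is an added example of what Dominick's suggested chain (system_cronjob_t -> myscript_exec_t -> myscript_t -> winbind_exec_t -> winbind_t) looks like as a complete local policy module. It is not code from the thread or from the Fedora policy; the module name, the domain names myscript_t/myscript_exec_t, the watchdog path and the chosen set of permissions are assumptions, and the interfaces used (application_domain, cron_system_entry, samba_domtrans_winbind, corecmd_*, logging_send_syslog_msg) are the reference policy interfaces that wrap the same domtrans_pattern() that Dominick's domain_auto_trans() line expresses.

```selinux
# myscript.te (added example, not from the thread)
#
# Confine the winbind watchdog in its own domain instead of widening
# system_cronjob_t, so the only thing cron gains is the ability to
# enter myscript_t, and only myscript_t gains the transition to winbind_t.
policy_module(myscript, 1.0.0)

########################################
#
# Declarations
#

type myscript_t;
type myscript_exec_t;
# Declare myscript_t as a domain whose entry point is myscript_exec_t.
application_domain(myscript_t, myscript_exec_t)
role system_r types myscript_t;

########################################
#
# Local policy
#

# Step 1: system_cronjob_t -> myscript_t
# cron_system_entry() adds the automatic transition from the system cron
# job domain when it executes a file labelled myscript_exec_t.
cron_system_entry(myscript_t, myscript_exec_t)

# The watchdog is a shell script, so the domain needs the shell interpreter
# and the usual helper binaries (service, ps, wbinfo ...), plus the ability
# to read /etc and /proc to check whether winbind is still alive.
corecmd_exec_shell(myscript_t)
corecmd_exec_bin(myscript_t)
files_read_etc_files(myscript_t)
kernel_read_system_state(myscript_t)

# Step 2: myscript_t -> winbind_t
# samba_domtrans_winbind() is the interface form of
#   domtrans_pattern(myscript_t, winbind_exec_t, winbind_t)
# i.e. the same transition Dominick wrote for system_cronjob_t, but scoped
# to the watchdog domain only.
samba_domtrans_winbind(myscript_t)

# Let the watchdog log what it restarted and why.
logging_send_syslog_msg(myscript_t)

########################################
#
# myscript.fc (file context; the path is an assumption)
#
/usr/local/sbin/winbind-watchdog\.sh	--	gen_context(system_u:object_r:myscript_exec_t,s0)
```

Build and load it with the Fedora policy development Makefile (`make -f /usr/share/selinux/devel/Makefile myscript.pp && semodule -i myscript.pp`), relabel the script with `restorecon -v /usr/local/sbin/winbind-watchdog.sh`, and confirm both hops are present with `sesearch -T -s system_cronjob_t -t myscript_exec_t` and `sesearch -T -s myscript_t -t winbind_exec_t`. One caveat: this module transitions directly on winbind_exec_t, as in Dominick's chain; if the watchdog restarts winbind through `service winbind restart` rather than by executing winbindd itself, the actual path runs through the init script, and the transition to grant from myscript_t would be into the initrc domain (init_domtrans_script) rather than straight to winbind_t. Any remaining denials show up in the raw AVC messages Dominick asked for.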